Dark Reading is part of the Informa Tech Division of Informa PLC


4/9/2019
10:30 AM
Rick Holland
Commentary

Stop Mocking & Start Enabling Emerging Technologies

Mocking new technology isn't productive and can lead to career disadvantage.

As security leaders, do we spend as much time trying to understand our businesses as we do trying to understand the threats we face? It seems that we focus intently on emerging threats, but what about emerging technology?

Successful adoption of emerging technology can lead to a competitive advantage. Yet we CISOs have a history of lambasting emerging technologies — cloud, mobile, machine learning, and now blockchain — discounting the value as "pure hype." This practice of mocking new technology isn't productive and can lead to career disadvantage.

Think about this scenario. A web application that is integral to a major new marketing campaign is about to launch and the security team is asked to assess it at the last minute. Sound familiar? As frustrating as this is, this scenario happens on a larger scale as a matter of course when it comes to emerging technology. Why?

A Digital Disconnect
As companies consider the role of emerging technology in their digital transformation journeys, security teams are often sitting on the sidelines. A lack of engagement with the business is a major contributing factor. Many security leaders still haven't made the time to understand how the company operates, how it generates revenue, and how it plans to continue to grow. Also to blame is the security community's knee-jerk response to bash and discredit emerging technologies. Blockchain is just the latest example. There are legitimate use cases for blockchain; supply chain management is just one.

One of the primary roles of security leaders is to understand and effectively communicate risk. Scoffing when another new technology emerges prevents us from doing this. Instead, we need to better understand the benefits so that our revenue-generating business partners can safely utilize them.

Brace for Impact
Autonomous vehicles, consumer Internet of Things devices, 5G, 3-D printing, and drones are just a few of the new technologies highlighted at this year's Consumer Electronics Show. They're on the verge of going mainstream now and should already be on your radar if your business can take advantage of them in any way. For some technologies in earlier stages of development, check out Soonish: Ten Emerging Technologies That'll Improve and/or Ruin Everything by Kelly and Zach Weinersmith. Think about the security implications associated with bioprinting or, even further out, brain-computer interfaces.

In this "The World Is Flat" global environment, security leaders must understand that emerging technology can lead to first-mover and competitive advantage. How can CISOs prepare for the risks that new technologies can introduce to the organization? Here are five lessons I've learned that can help:

  1. Don't just focus on the adversary; focus on your business. Spend time talking to business leaders to truly understand how your company operates. Review marketing plans, technology road maps, financial reports, forecasts, and business development plans. Build a relationship with a board member to understand longer-term goals and pressures on the business. If you don't understand your business model, you have little chance of building an effective threat model for your program.
  2. Do more "homework" by talking to internal resources. Meet with the CTO and line-of-business CTOs periodically because those teams assess new technologies. If your business has an enterprise architecture team, try to get one of your resources regularly engaged with team members. Those teams are at the forefront of digital transformation initiatives, and security and privacy should be key components of those efforts. Many organizations start their annual planning in late summer, so use budget season to your advantage. Work with business leaders to understand the emerging technology they want to deploy and are including in their upcoming budgets.
  3. Make a concerted effort to track emerging technology. Get on the road and start attending conferences focused on your industry and the new technologies and services that are becoming available to address challenges and create opportunities. Reading what industry analysts have to say about top emerging technologies to watch is a good way to know if you've covered your bases. You should also monitor early adopters in your space by looking at their Securities and Exchange Commission filings, annual reports, and press releases. You can use Google alerts to track them. Of course, if you're learning from your competitors then chances are you're already late to the game — but it's better to know than not.
  4. Start understanding the risks of emerging technology. Actually using a new technology is the best way to see how it may introduce risk to your organization. Get it into one of your labs or talk to the business engineers who already have it in their labs to leverage their knowledge and expertise. If you don't have the skill set, resources, or time, then work with consultancies or security researchers to take advantage of their capabilities so you can get up to speed faster.
  5. Finally, don't believe the hype. Just because #INFOSEC Twitter makes fun of something doesn't mean you should discount it. Don't blindly buy into the negative hype around emerging technology. Ubiquitous vendor marketing also does us no favors as it predisposes us to cynicism. Skepticism is OK; just be objective as you evaluate the emerging technology.

Remember it is our job to understand and communicate the risk of emerging technologies. An approach like Gandalf the Gray screaming "you shall not pass to emerging technology" is not advisable. Your organization, and your career, are better served with something like, "you can pass; however, we need to make sure that you understand the risks associated with taking this path."


Rick Holland has more than 14 years experience working in information security. Prior to joining Digital Shadows, he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations, and data privacy. Rick ...